Dropping support for SSLv3
Incident Report for Chargify
Effective immediately we are dropping support for SSLv3.

A newly published attack on SSL 3.0 (dubbed POODLE) makes continued use of SSLv3 dangerous: an attacker who can observe and tamper with traffic can use it to decrypt data such as session cookies from an SSLv3 connection, and clients that fall back to SSLv3 when a TLS handshake fails can be forced onto it. After significant internal discussion (ongoing for some time), SSLv3 is no longer supported when connecting to https://app.chargify.com. The large majority of responsible websites are taking the same recommended step, so Chargify is not alone. We are moving fast, but we are following the best practices established by experts in internet security.

Unfortunately, this change is not without repercussions. Extremely old browsers (specifically IE 6 on Windows XP) will no longer be able to connect to Chargify. We understand this is a change not to be taken lightly. In the past we have opted to maintain backwards compatibility to avoid preventing potential customers from using Chargify. The last thing we would want to do is to stop eager customers from signing up with one of our merchants.

However, the level of attacks against weak encryption has forced us to take action. Your customers trust you to provide working and robust encryption when they enter their credit card details on a Chargify page. So we have weighed the options and decided that disabling SSLv3 is the appropriate choice. Our traffic analysis indicates this would have affected only 5 signups across ALL of Chargify in the last month, which makes us confident that dropping support will have minimal impact for maximum gain.

If you use a very old or insecure API client, you may also find that it can no longer negotiate an SSL/TLS connection with our servers: a client that cannot offer TLS 1.0 or later will have its handshake refused. We know this can be very problematic, because it is often very difficult to upgrade software on your systems to maintain compatibility. For that, we're very sorry. Again, we've taken this step only as a last resort. Please contact us at support@chargify.com and we'll work with you as best we can to get your integration running securely.
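As an added example (not part of Chargify's announcement or of any Chargify tooling): a small Python probe that sends the one thing a legacy SSLv3-only client can send, an SSL 3.0 ClientHello, and reports whether the server answers with an SSL 3.0 ServerHello (SSLv3 still enabled) or refuses with an alert or a closed connection (SSLv3 disabled). The record layout follows RFC 6101; the cipher-suite list, the fixed all-zero client random, and the default host name are assumptions chosen for illustration. Once a server has dropped SSLv3, this probe should never report ACCEPTED against it.

```python
import socket
import struct

# SSL 3.0 wire constants (RFC 6101). Version 3.0 is the only version this
# probe offers, so a server that has disabled SSLv3 cannot complete the handshake.
SSLV3_VERSION = b"\x03\x00"
CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02

# Alert descriptions servers commonly send when they refuse a protocol version.
ALERT_NAMES = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version"}

# Assumed cipher-suite list an SSLv3-era client might offer:
# TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA.
SSLV3_CIPHER_SUITES = b"\x00\x2f\x00\x0a\x00\x05"


def build_sslv3_client_hello(client_random: bytes = b"\x00" * 32) -> bytes:
    """Build one SSL 3.0 record carrying a minimal ClientHello.

    The 32-byte client random is a fixed placeholder because the probe only
    needs to learn whether the server will answer; a real client must draw
    it from a CSPRNG.
    """
    if len(client_random) != 32:
        raise ValueError("client random must be exactly 32 bytes")
    body = (
        SSLV3_VERSION                                   # client_version = 3.0
        + client_random                                 # gmt_unix_time + random_bytes
        + b"\x00"                                       # session_id: zero length
        + struct.pack("!H", len(SSLV3_CIPHER_SUITES))   # cipher_suites length
        + SSLV3_CIPHER_SUITES
        + b"\x01\x00"                                   # compression_methods: [null]
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_hdr = bytes([CONTENT_HANDSHAKE]) + SSLV3_VERSION + struct.pack("!H", len(handshake))
    return record_hdr + handshake


def classify_response(data: bytes) -> tuple[bool, str]:
    """Interpret the first record a server sends back to the SSLv3 ClientHello.

    Returns (sslv3_accepted, explanation). Only a ServerHello carrying version
    3.0 counts as acceptance; an alert, a closed connection, or anything else
    means the server will not speak SSLv3 with us.
    """
    if not data:
        return False, "rejected: server closed the connection without replying"
    if len(data) < 5:
        return False, "rejected: truncated record (%d bytes)" % len(data)
    content_type, version = data[0], data[1:3]
    if content_type == CONTENT_ALERT and len(data) >= 7:
        level, desc = data[5], data[6]
        name = ALERT_NAMES.get(desc, "alert %d" % desc)
        severity = "fatal" if level == 2 else "warning"
        return False, "rejected: %s alert %s" % (severity, name)
    if (content_type == CONTENT_HANDSHAKE and len(data) >= 6
            and data[5] == HANDSHAKE_SERVER_HELLO and version == SSLV3_VERSION):
        return True, "ACCEPTED: server answered with an SSL 3.0 ServerHello"
    return False, "rejected: unexpected record type 0x%02x, version %s" % (content_type, version.hex())


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> tuple[bool, str]:
    """Send the SSLv3 ClientHello to a live server and classify its reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            reply = b""  # a reset or silence is treated as a refusal
    return classify_response(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "app.chargify.com"  # assumed default
    accepted, why = probe_sslv3(target)
    print("%s: %s" % (target, why))
    sys.exit(1 if accepted else 0)
```

This checks only the server side of the problem. A client that silently retries with SSLv3 after a failed TLS handshake (the downgrade POODLE relies on) is protected here solely because the server now refuses that retry; the probe does not detect such fallback behaviour in your own API client, which is what the paragraph above asks you to review.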

References:

https://isc.sans.edu/diary/OpenSSL%3A+SSLv3+POODLE+Vulnerability+Official+Release/18827
http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html
https://blog.cloudflare.com/sslv3-support-disabled-by-default-due-to-vulnerability/
Posted Oct 14, 2014 - 20:20 CDT